Ashley Madison: data breach

Ashley Madison, an extra-marital dating website, suffered a major hack in August 2015.  It was reported that about 37 million records were compromised.  Following revelations of the breach, Ashley Madison offered a $19.00 delete option for its members which would fully wipe clean the user's personal data, what Ashley Madison terms a "hard delete".  This would include deleting uploaded pictures and the personal messages in the user's inbox and sent items.

This article will look at two issues: (i) the privacy implications, and (ii) the delete feature.

What are the privacy implications here?  Should members of the public be pleased that information relating to adulterers was released?

The hack leaked credit card transactions, accompanying names, addresses, e-mail addresses, usernames, images, and much more.  We have all the hallmarks of a classic breach here.  This data breach is no different from breaches that have happened to other organisations.  The only major difference is the service provided by this organisation.  This is not a DIY service provider or an online news agency; this is a website that helps its users cheat on their partners.  What we have in the Ashley Madison data breach is the fear of spouses finding out their significant other is cheating on them, which will cause many problems far worse than having their identity stolen.

Many people see this as a positive hack, as the affected users are deemed to be awful people for cheating on their spouse.  Whether you agree or disagree with that statement, it is a slippery road to start on.  Are we going to apply moral legitimacy to hacking?  There are many things that I think are moral and legal but others would disagree with.  It is a grey area society should be careful in judging, as it can lend credence to groups like "Anonymous" hacking for moral reasons.  This may encourage other groups to engage in other breaches on similar sites like Seeking Arrangements, or it may encourage groups to hack what appear to be legitimate sites.  What would the public response be if an animal activist organisation that was against animals being kept as pets decided to hack the Battersea Cats and Dogs Home's website and revealed details of its volunteers?

Bringing morality into it raises the question of when it is right to commit a crime.

What about the $19.00 delete option?  Why did Ashley Madison not delete users' details when they unregistered or removed their account?

When you are a paid member of an online service (whether it is Match.com or a subscription to The Times online), deactivating your account does not necessarily mean all your information will be deleted from the organisation's database.  Using this case as an example, the ordinary delete option did not fully wipe a user's details from Ashley Madison's servers (or any server, for that matter).  It only removed the user's profile from being active and visible to other users.  Records of payments were still available on the server, and it is these payment records which hold the details of Ashley Madison's users (i.e. name, address, bank details).

Unfortunately, paying the $19.00 does not protect the user, as information held by organisations is kept on servers where it can be difficult (and expensive for organisations; it will always come down to money) to delete.  The same goes for any online service provider.  As a user of social media, I know I can deactivate my Facebook account or delete the Snapchat app, but this only stops people from finding me on the application; it does not stop technical people (privileged users) who have access to the servers, or hackers, from reaching my data via the back-end servers.
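The difference between "deactivate" and "hard delete" described above is easy to see in a data model.  The following is an added illustration written for this article, not Ashley Madison's code or schema: it assumes a hypothetical site with profiles, messages, images and a payments table, populated with constructed sample records.  A deactivation only flips a flag on the profile, so every table still identifies the user; a hard delete removes profile, messages and images and scrubs the identifying fields from the payment rows while keeping the amounts for accounting.  The `residual_pii` check is the kind of audit a defender can run to confirm what a "delete" really left behind.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Hypothetical schema for a subscription site (constructed for this example).
@dataclass
class Profile:
    user_id: str
    username: str
    email: str
    active: bool = True


@dataclass
class Payment:
    payment_id: str
    user_id: Optional[str]
    amount: float
    # Billing details: the fields that still identify a user after a
    # profile has merely been deactivated.
    name: Optional[str]
    address: Optional[str]
    card_last4: Optional[str]


@dataclass
class Store:
    profiles: Dict[str, Profile] = field(default_factory=dict)
    messages: Dict[str, List[str]] = field(default_factory=dict)  # user_id -> bodies
    images: Dict[str, List[str]] = field(default_factory=dict)    # user_id -> paths
    payments: List[Payment] = field(default_factory=list)


def build_sample_store() -> Store:
    """Constructed sample data; names, e-mails and addresses are fictitious."""
    store = Store()
    store.profiles["u100"] = Profile("u100", "nightowl", "nightowl@example.com")
    store.profiles["u200"] = Profile("u200", "skyline", "skyline@example.com")
    store.messages["u100"] = ["hi there", "are you free on Friday?"]
    store.images["u100"] = ["uploads/u100/photo1.jpg"]
    store.payments.append(Payment("p1", "u100", 49.00, "A. Person", "1 Example Street", "4242"))
    store.payments.append(Payment("p2", "u200", 49.00, "B. Other", "2 Example Road", "1111"))
    return store


def deactivate(store: Store, user_id: str) -> None:
    """The ordinary 'remove my account' path: the profile is hidden, nothing is erased."""
    store.profiles[user_id].active = False


def hard_delete(store: Store, user_id: str) -> None:
    """Erase the user's content and strip identifying fields from payment records.

    The payment rows themselves are kept (amount, id) so the books still balance,
    but nothing on them links back to a person any more.
    """
    store.profiles.pop(user_id, None)
    store.messages.pop(user_id, None)
    store.images.pop(user_id, None)
    for p in store.payments:
        if p.user_id == user_id:
            p.user_id = None
            p.name = None
            p.address = None
            p.card_last4 = None


def residual_pii(store: Store, user_id: str, full_name: str) -> List[str]:
    """Audit helper: list the tables in which this person is still identifiable."""
    found: List[str] = []
    if user_id in store.profiles:
        found.append("profiles")
    if store.messages.get(user_id):
        found.append("messages")
    if store.images.get(user_id):
        found.append("images")
    if any(p.user_id == user_id or p.name == full_name for p in store.payments):
        found.append("payments")
    return found


if __name__ == "__main__":
    s = build_sample_store()
    deactivate(s, "u100")
    print("after deactivate:", residual_pii(s, "u100", "A. Person"))

    s = build_sample_store()
    hard_delete(s, "u100")
    print("after hard delete:", residual_pii(s, "u100", "A. Person"))
    print("payments retained:", len(s.payments))
```

Running it shows the deactivated user still present in all four tables, while after the hard delete the audit finds nothing, even though both payment rows (with their amounts) are still there.  The point for a consumer is that only the second path would have helped the people caught in this breach, and from the outside you cannot tell which one a site actually implements.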

For public services where organisations hold sensitive data, what should potential customers look for before using these services?

On the consumer end there is not much we can do to check that an organisation is holding our data correctly.  Organisations may display certificates on their website, but you cannot be sure that the organisation's staff are trustworthy enough not to do an inside job.  In the UK, organisations are extra cautious to ensure customer data is protected because they will be fined by the Information Commissioner for any data breach, but this is difficult to enforce on some internationally based organisations at the moment.

If an organisation offers people monetary rewards when they find bugs on its site (a so-called "bug bounty"), it shows the organisation is keen to combat weaknesses in its site to ensure a safe user experience.  This is one thing to look out for, and certainly Google and Apple are very good at this.

If you have to sign up to a website, always ask yourself: is the information they are asking for necessary for me to complete this transaction or sign up for their services?  If a website you are registering with to get travel updates starts asking for credit card details or family background, I would not join.  Only give them what they need to know.  Some organisations are savvy enough to know this and will ensure they only ask for what they need.

Assume that any information you send on internet platforms will be handled by a third party.  There is no such thing as privacy on the internet.
